Senate Bill Seeks Standards For Cars' Defenses From Hackers

A few years ago, the notion of hacking a car or truck over the Internet to control steering and brakes seemed like a bad plot point from CSI: Cyber. Today, the security research community has proven it to be a real possibility, and it's one that at least two U.S. senators won't wait to see play out with real victims.

On Tuesday morning, Senators Ed Markey and Richard Blumenthal plan to introduce new legislation designed to require cars sold in the U.S. to meet certain standards for protection against digital attacks and for privacy. The legislation, as described to WIRED by a Markey staffer, would call on the National Highway Safety and Transportation Administration and the Federal Trade Commission to together create new standards that automakers would be required to meet, covering both their vehicles' defenses from hackers and how the companies safeguard any personal information, such as location records, collected from the vehicles they sell.

But the security industry has demonstrated that vehicles' increasing connections to the internet create new avenues for attack. Earlier Tuesday morning, in fact, WIRED revealed that two security researchers have developed and plan to partially release a new attack against hundreds of thousands of Chrysler vehicles that could allow hackers to gain access to their internal networks. As part of the same demo, those researchers, Charlie Miller and Chris Valasek, also demonstrated to WIRED that they could use the attack to wirelessly control the steering, brakes, and transmission of a 2014 Jeep Cherokee over the Internet. (A Markey spokesperson insists that the bill's release wasn't timed to WIRED's story.)

"Drivers shouldn’t have to choose between being connected and being protected," Markey wrote in a statement shared with WIRED. "Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car. We need clear rules of the road that protect cars from hackers and American families from data trackers."

Markey and Blumenthal’s bill will have three major points, according to a spokesperson’s description. First, it will require the NHTSA and the FTC to set security standards for cars, including isolating critical software systems from the rest of a vehicle's internal network, penetration testing by security analysts, and the addition of onboard systems to detect and respond to malicious commands on the car’s network. Second, it will ask those same agencies to set privacy standards, requiring carmakers to inform people of how they collect data from vehicles they sell, letting drivers opt out of that data collection and restricting how the information can be used for marketing. And finally, it will require manufacturers to display window stickers on new cars that rank their security and privacy protections.

Automakers have gotten hints for months that legislation was in the works. In February, Markey's office released the results of a series of questions it had sent to 20 carmakers, quizzing them on their handling of digital security and privacy. The sixteen companies that responded gave answers that weren't reassuring. Nearly all of them said their vehicles now include wireless connections like cellular service, Bluetooth and Wi-Fi, the means by which remote hacking can occur. Only seven said they used independent security testing to check their vehicles' security. Only two said they had tools in place to stop a hacker intrusion. And an "overwhelming majority" collected location information about their customers' vehicles, in many cases offering only ambiguous claims about encrypting the collected data.

Despite that growing drumbeat of warnings about digital attacks on cars, however, not everyone in the security community is so excited about legislation. Josh Corman, one of the cofounders of the security industry group I Am the Cavalry, which is focused on protecting things like medical devices and automobiles, was wary of a possible bill when he spoke with WIRED about it earlier this month.

Corman worried that the ensuing law could be comparable to payment card industry rules that are widely seen as outmoded and ineffective. Instead, he said he hoped the auto industry could be nudged into innovating security features on its own in the same sort of competition that currently exists for traditional safety features.

"Laws are ill-suited for a dynamic space like this," Corman said at the time. "If this can catalyze [the industry] standing up straighter and getting a plan in place, that’s great. If it makes them less responsive in the face of new adversaries, that could be very bad."

Whether through legislation or industry competition, however, the pressure on carmakers to protect vehicles from hackers is growing. "If consumers don’t realize this is an issue, they should, and they should start complaining to carmakers," says Charlie Miller. "Cars should be secure."